Approov is an API security solution used to verify that requests received by your API services originate from trusted versions of your mobile apps.
This repo implements Approov API request verification for the Mulesoft API Gateway: the gateway's JWT validation policy checks the Approov token carried by each request and only lets requests with a valid token through to the API endpoint.
If you are looking for another Approov integration you can check our list of quickstarts, and if you don't find what you are looking for, then please let us know here.
The quickstart assumes that you already have a Mulesoft API Gateway running, and that you are familiar with the options for applying changes. If you are not familiar with the Mulesoft API Gateway then you may want to follow the step by step Mulesoft API Gateway Example instead.
The quickstart was tested with the following Operating Systems:
- Ubuntu 20.04
- MacOS Big Sur
- Windows 10 WSL2 - Ubuntu 20.04
First, set up the Approov CLI.
Next, enable your Approov admin role with:
eval `approov role admin`
For the Windows command prompt (cmd.exe; in PowerShell set the same value on the `$env:APPROOV_ROLE` variable instead):
set APPROOV_ROLE=admin:___YOUR_APPROOV_ACCOUNT_NAME_HERE___
Now, create the Approov key set that will be used to sign the Approov tokens for your API (the -kid value is the key ID you will reference in the following steps):
approov keyset -add RS256 -keyLength 2048 -kid your-api-name
Next, register the API domain for which Approov will issue tokens, associating it with that key set. The -keySetKID value must match the -kid of the key set you just created:
approov api -keySetKID your-api-name -add api.example.com
Now, get the public key from the Approov keyset configured for your API:
approov keyset -kid your-api-name -getPEM public-key.pem
Next, turn the public key into a one-line string that can be embedded in the JSON policy config. The command below drops the BEGIN/END lines of the PEM file, strips any carriage returns, and joins the remaining lines with a literal `\n` escape sequence:
awk 'NR>2 { sub(/\r/, ""); printf "%s\\n",last} { last=$0 }' public-key.pem > public-key-string.pem
Now, apply the Mulesoft policy with:
anypoint-cli api-mgr policy apply \
--policyVersion 1.2.0 \
--config "{\"jwtOrigin\":\"customExpression\", \"jwtKeyOrigin\":\"text\", \"textKey\":\"$(cat public-key-string.pem)\", \"jwtExpression\":\"#[attributes.headers[\\\"Approov-Token\\\"]]\", \"signingMethod\":\"rsa\", \"signingKeyLength\":\"256\", \"jwksUrl\":\"example.com\", \"skipClientIdValidation\":true, \"clientIdExpression\":\"#[vars.claimSet.client_id]\", \"validateAudClaim\":false, \"mandatoryAudClaim\":false, \"supportedAudiences\":\"aud.example.com\", \"mandatoryExpClaim\":true, \"mandatoryNbfClaim\":false, \"validateCustomClaim\":false}" \
___YOUR_API_INSTANCE_ID___ jwt-validation
NOTE: Some of the config keys (for example `jwksUrl`, `clientIdExpression` and `supportedAudiences`) have placeholder values because they must be present when applying the policy, but they aren't used at runtime with this configuration: the key comes from `textKey`, client ID validation is skipped and the aud claim is not validated. `mandatoryExpClaim` is deliberately `true`, so a token without an `exp` claim is rejected.
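To make clear what the policy configured above actually enforces, here is an added example (not part of this quickstart, and not Approov's or Mulesoft's code) that signs an RS256 JWT with a locally generated RSA key and verifies it the way the `jwt-validation` policy is set up to: the `alg` must be RS256, the signature must verify against the key set's public key, and the `exp` claim must be present and in the future. It assumes `openssl`, `grep -o` and a POSIX shell are available; the key pair and the token payloads are constructed for the example and carry only an `exp` claim plus a dummy field, whereas real Approov tokens carry additional claims that are not checked here.

```shell
#!/bin/sh
# Added example (not from the Approov or Mulesoft quickstart): a minimal RS256
# JWT signer and verifier built on openssl, mirroring the checks the
# jwt-validation policy is configured for (RS256 signature against the public
# key, mandatory exp claim). Payloads are constructed, compact JSON with no
# whitespace; real Approov tokens carry more claims than are checked here.
set -eu

# base64url without padding, as used by JWTs
b64url_enc() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# inverse: restore the standard alphabet and padding, then decode
b64url_dec() {
  dec_in=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#dec_in} % 4 )) in
    2) dec_in="${dec_in}==" ;;
    3) dec_in="${dec_in}=" ;;
  esac
  printf '%s' "$dec_in" | openssl base64 -d -A
}

# make_token <private-key.pem> <compact-json-payload>  -> prints a signed JWT
make_token() {
  jwt_header='{"alg":"RS256","typ":"JWT"}'
  signing_input="$(printf '%s' "$jwt_header" | b64url_enc).$(printf '%s' "$2" | b64url_enc)"
  jwt_sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$1" | b64url_enc)
  printf '%s.%s' "$signing_input" "$jwt_sig"
}

# verify_token <public-key.pem> <jwt>  -> prints a verdict; exit 0 only if valid
verify_token() {
  pub=$1; tok=$2
  case $tok in
    *.*.*) ;;
    *) echo "malformed"; return 1 ;;
  esac
  hdr=${tok%%.*}; rest=${tok#*.}; pay=${rest%%.*}; sig=${rest#*.}
  case $sig in *.*) echo "malformed"; return 1 ;; esac
  # pin the algorithm: a verifier that trusts the header's alg accepts
  # alg=none or HMAC tokens signed with the public key as the secret
  alg=$(b64url_dec "$hdr" | grep -o '"alg":"[^"]*"' | head -n 1 | cut -d'"' -f4)
  [ "$alg" = "RS256" ] || { echo "unexpected alg: ${alg:-<missing>}"; return 1; }
  # RSA-SHA256 signature over "header.payload" with the key set's public key
  sigfile=$(mktemp)
  b64url_dec "$sig" > "$sigfile"
  if ! printf '%s' "$hdr.$pay" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$sigfile"; echo "bad signature"; return 1
  fi
  rm -f "$sigfile"
  # mandatoryExpClaim: exp must be present and must lie in the future
  exp=$(b64url_dec "$pay" | grep -o '"exp":[0-9]*' | cut -d: -f2)
  [ -n "$exp" ] || { echo "missing exp"; return 1; }
  [ "$exp" -gt "$(date +%s)" ] || { echo "expired"; return 1; }
  echo "valid"
}

# Stand-alone demo: generate a throwaway key pair and try the four token kinds
# a verifier must distinguish (valid, expired, payload edited without the
# private key, alg=none with an empty signature).
demo() {
  work=$(mktemp -d)
  openssl genrsa -out "$work/priv.pem" 2048 2>/dev/null
  openssl rsa -in "$work/priv.pem" -pubout -out "$work/pub.pem" 2>/dev/null
  now=$(date +%s)
  good=$(make_token "$work/priv.pem" "{\"exp\":$((now + 300)),\"did\":\"constructed\"}")
  expired=$(make_token "$work/priv.pem" "{\"exp\":$((now - 1))}")
  tampered="${good%%.*}.$(printf '%s' "{\"exp\":$((now + 86400))}" | b64url_enc).${good##*.}"
  none_tok="$(printf '%s' '{"alg":"none"}' | b64url_enc).$(printf '%s' "{\"exp\":$((now + 300))}" | b64url_enc)."
  echo "good:      $(verify_token "$work/pub.pem" "$good" || true)"
  echo "expired:   $(verify_token "$work/pub.pem" "$expired" || true)"
  echo "tampered:  $(verify_token "$work/pub.pem" "$tampered" || true)"
  echo "alg=none:  $(verify_token "$work/pub.pem" "$none_tok" || true)"
  rm -rf "$work"
}
demo
```

The algorithm pin is the part most often missing from hand-rolled verifiers: the policy config fixes `signingMethod` to `rsa`, and the example does the same by rejecting anything other than `alg=RS256` before touching the signature, so a header rewritten to `none` or `HS256` never reaches the verification step.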
Not enough details in the bare bones quickstart? No worries, check the detailed quickstart, which contains a more comprehensive set of instructions, including how to test the Approov integration.
If you find any issue while following our instructions then just report it here, with the steps to reproduce it, and we will sort it out and/or guide you to the correct path.
If you wish to explore the Approov solution in more depth, then why not try one of the following links as a jumping off point: